MIRRORS/linux-yocto
1
0
Fork 0
mirror of git://git.yoctoproject.org/linux-yocto.git synced 2025-07-05 13:25:20 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
e03ced99c4
linux-yocto/kernel/module
History
Thorsten Leemhuis e62c31802d module: sign with sha512 instead of sha1 by default 
commit f3b93547b91ad849b58eb5ab2dd070950ad7beb3 upstream.

Switch away from using sha1 for module signing by default and use the
more modern sha512 instead, which is what among others Arch, Fedora,
RHEL, and Ubuntu are currently using for their kernels.

Sha1 has not been considered secure against well-funded opponents since
2005[1]; since 2011 the NIST and other organizations furthermore
recommended its replacement[2]. This is why OpenSSL on RHEL9, Fedora
Linux 41+[3], and likely some other current and future distributions
reject the creation of sha1 signatures, which leads to a build error of
allmodconfig configurations:

  80A20474797F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:342:
  make[4]: *** [.../certs/Makefile:53: certs/signing_key.pem] Error 1
  make[4]: *** Deleting file 'certs/signing_key.pem'
  make[4]: *** Waiting for unfinished jobs....
  make[3]: *** [.../scripts/Makefile.build:478: certs] Error 2
  make[2]: *** [.../Makefile:1936: .] Error 2
  make[1]: *** [.../Makefile:224: __sub-make] Error 2
  make[1]: Leaving directory '...'
  make: *** [Makefile:224: __sub-make] Error 2

This change makes allmodconfig work again and sets a default that is
more appropriate for current and future users, too.

Link: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html [1]
Link: https://csrc.nist.gov/projects/hash-functions [2]
Link: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustsha1SigVer [3]
Signed-off-by: Thorsten Leemhuis <linux@leemhuis.info>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Tested-by: kdevops <kdevops@lists.linux.dev> [0]
Link: https://github.com/linux-kdevops/linux-modules-kpd/actions/runs/11420092929/job/31775404330 [0]
Link: https://lore.kernel.org/r/52ee32c0c92afc4d3263cea1f8a1cdc809728aff.1729088288.git.linux@leemhuis.info
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-05-02 07:58:51 +02:00
..
debug_kmemleak.c module: Refine kmemleak scanned areas 2024-09-13 09:55:17 -07:00
decompress.c module/decompress: use kvmalloc() consistently 2023-11-02 07:35:39 -10:00
dups.c module: Remove redundant TASK_UNINTERRUPTIBLE 2023-12-19 13:30:28 -08:00
internal.h module: Don't ignore errors from set_memory_XX() 2024-02-16 11:30:43 -08:00
kallsyms.c kallsyms: rework symbol lookup return codes 2024-06-27 17:43:40 +02:00
Kconfig module: sign with sha512 instead of sha1 by default 2025-05-02 07:58:51 +02:00
kdb.c module: replace module_layout with module_memory 2023-03-09 12:55:15 -08:00
kmod.c module: add debugging auto-load duplicate module support 2023-04-19 17:26:01 -07:00
livepatch.c livepatch: fix ELF typos 2023-03-09 11:08:24 +01:00
main.c module: Don't fail module loading when setting ro_after_init section RO failed 2025-02-08 09:57:58 +01:00
Makefile module: Fix KCOV-ignored file name 2024-08-08 17:36:35 +02:00
procfs.c module: replace module_layout with module_memory 2023-03-09 12:55:15 -08:00
signing.c
stats.c module: Fix comment typo 2023-11-01 13:07:08 -07:00
strict_rwx.c module: Don't ignore errors from set_memory_XX() 2024-02-16 11:30:43 -08:00
sysfs.c module: abort module loading when sysfs setup suffer errors 2024-09-13 09:55:17 -07:00
tracking.c module: add debug stats to help identify memory pressure 2023-04-18 11:15:24 -07:00
tree_lookup.c module: replace module_layout with module_memory 2023-03-09 12:55:15 -08:00
version.c